APNIC Internet Resource Management (IRM) Tutorial
Issue Date: 17 May 2016
Revision: 2.3.0
20-22 March 2017, Bandar Seri Begawan, Brunei Darussalam
Presenter: Jessica Wei, Training Officer, APNIC
After graduating from China’s Huazhong University of Science and Technology in 2007 with a degree in electronic engineering, Bei (whose nickname is Jessica) joined Huawei as a network training officer. Over the next six years, she provided Huawei technical training on LAN/WAN systems, broadband access, IP core and IP mobile backhaul networks, as well as working on technical training course design and the development of IP training materials. At the Huawei training center in China she provided technical training to engineers and administrators from more than 15 nations, including Viet Nam, Papua New Guinea, Thailand, Pakistan and Bangladesh. She has also travelled to Bangladesh, Venezuela, Colombia, Egypt, Malaysia, Australia, Thailand, Indonesia and Singapore to provide training.
Contact: Email: [email protected]
Presenter: Wita Laksono
Internet Resource Analyst
Specialties: Routing & Switching, Internet Resource Management, MyAPNIC
Contact: Email: [email protected]
Agenda
• Introduction to APNIC
• Policy Development Process
• Internet Registry Policies
• Requesting IP Addresses
• APNIC Whois Database
• Using MyAPNIC
• Resource Certification (RPKI)
• Asia-Pacific Network Information Centre
• One of the five Regional Internet Registries (RIRs), charged with ensuring the fair distribution and responsible management of IP addresses and related resources
• A membership-based, not-for-profit organization
• Industry self-regulatory body
– Open
– Consensus-based
– Transparent
Where is the APNIC Region?
What does APNIC do? APNIC serves Members
• Resource distribution: IP addresses, AS numbers
• Registration services: reverse DNS, Internet routing registry, resource certification, whois registry
• Policy development
• Capacity building: training, workshops, conferences, fellowships, grants
• Infrastructure: root servers, IXPs, engineering assistance
What does APNIC do? APNIC supports the Asia Pacific region and collaborates with the Internet community
Original research
Data collection and measurements
Publications
Local/regional/global events
Government outreach
Intergovernmental & technical organizations collaboration
Internet security
APNIC in the Internet Ecosystem
(Diagram: Internet users at the centre, surrounded by providers (access, content, applications), enablers (industry associations, NGOs, name registries, number registries, standards bodies, governments/regulators, at-large communities, operator groups).)
APNIC is one of five RIRs
(Summary diagram: in the Asia Pacific region, APNIC provides service to APNIC Members, support to the region and collaboration with the Internet community; the activities are those listed in the three "What does APNIC do?" slides above.)
Internet Registry Structure
APNIC – Vision
A global, open, stable, and secure Internet that serves the entire Asia Pacific community.
How we achieve this:
• Serving Members
• Supporting the Asia Pacific Region
• Collaborating with the Internet Community
APNIC – Mission
• Function as the Regional Internet Registry for the Asia Pacific, in the service of the community of Members and others
• Provide Internet registry services to the highest possible standards of trust, neutrality, and accuracy
• Provide information, training, and supporting services to assist the community in building and managing the Internet
• Support critical Internet infrastructure to assist in creating and maintaining a robust Internet environment
• Provide leadership and advocacy in support of its vision and the community
• Facilitate regional Internet development as needed throughout the APNIC community
APNIC from a Global Perspective
(Map of the five RIR service regions.)
APNIC in the Asia Pacific
(Map of the APNIC region, including ISOC chapters.)
Global Policy Coordination
The NRO (Number Resource Organization) is a coordinating body for the five Regional Internet Registries (RIRs).
www.nro.net
Global Policy Coordination
The purpose of the ICANN Address Supporting Organization (ASO) is to review and develop recommendations on Internet Protocol (IP) address policy and to advise the ICANN Board.
https://aso.icann.org/
Where do IP Addresses come from?
(Diagram: Standards body → allocation → RIRs → allocation → LIR/ISP → assignment → End user.)
Agenda
• Introduction to APNIC
• Policy Development Process
• Internet Registry Policies
• Requesting IP Addresses
• APNIC Whois Database
• Using MyAPNIC
• Resource Certification (RPKI)
Policy Development
• Creating a policy environment that supports the region’s Internet development
• Developed by the membership and broader Internet community
You are part of the APNIC community!
(Diagram: the Global Internet Community includes the IETF, ISOC and individuals. The APNIC Internet Community is an open forum in the Asia Pacific, with participants such as national NOGs, regional NOGs, APAN and ISP associations. APNIC Members have a voice in regional Internet operations through participation in APNIC.)
Policy Development Process
• Open: anyone can participate
• Transparent: all decisions & policies documented & freely available to anyone
• Bottom up: Internet community proposes and approves policy
Policy Development Process – Before the conference
• Submit proposed policy to the APNIC Secretariat
• SIG Chair posts the proposal to mailing list
• Community discusses proposal
(Diagram, before the meeting: author proposes policy or amendment; community discusses proposal on SIG mailing list.)
Policy Development Process – During the conference
• Proposed policies are presented at the Open Policy Meeting (OPM)
• Community comments on the proposal
• If it reaches consensus, SIG Chair reports the decision at the APNIC Member Meeting (AMM)
(Diagram, during the meeting: community discusses proposal face to face in SIG; SIG Chair gauges consensus.)
Policy Development Process – After the conference
• Within a week, proposal is sent back to mailing list
• A comment period between 4-8 weeks is given
• If it reaches consensus, SIG Chair asks the Executive Council (EC) to endorse the proposal
• APNIC EC endorses proposal
• APNIC Secretariat implements the policy (minimum of 3 months)
(Diagram, after the meeting: community has a chance to raise any final objections during the final call; SIG Chair confirms consensus; Executive Council (EC) endorses policy; Secretariat implements policy.)
Policy Discussions
• Comment – participants are encouraged to comment on the proposal
• Discuss – the Chair encourages discussion about the pros and cons of the proposal
• Show of hands – to broadly measure opinion; not a vote
• Consensus – declared if there are no objections
How to Participate
• Read the policy proposals currently under discussion
• Check out discussions on the Policy SIG mailing list
• Join the discussion at APNIC conferences
– webcast (live streaming)
– live transcripts
– comment on Jabber chat
• Provide your feedback
– Training or community outreach events
Agenda
• Introduction to APNIC
• Policy Development Process
• Internet Registry Policies
• Requesting IP Addresses
• APNIC Whois Database
• Using MyAPNIC
• Resource Certification (RPKI)
Growth of Global IPv4 Routing Table
http://www.cidr-report.org/as2.0/
653589 prefixes as of 10 Feb 2017
(Chart annotations: 1994: introduction of CIDR; projected growth of routing table before CIDR deployment; dot-com boom; 2001: The Great Internet Boom and Bust; 2005: Broadband to the Masses; 2009: The GFC hits the Internet; 2011: Address Exhaustion; sustainable growth.)
Growth of Global IPv6 Routing Table
http://www.cidr-report.org/as2.0/
36501 prefixes as of 26 Feb 2017
(Chart annotation: 2011: IPv4 Address Exhaustion.)
IRM Objectives
• Conservation: efficient use of resources; based on demonstrated need
• Aggregation: limit routing table growth; support provider-based routing
• Registration: ensure uniqueness; facilitate troubleshooting
Uniqueness, fairness and consistency
How IP Addresses are Delegated
(Diagram. Registry Realm: APNIC, from its /8 pool, makes an APNIC Allocation to the Member (LIR). Operators Realm: the Member (LIR) makes Customer Assignments and Sub-allocations (e.g. /24) to its customers, such as an ISP (LIR customer), which in turn makes an ISP Allocation and Customer Assignments (e.g. /25, /26, /27) to the Customer / End User.)
Portable and Non-Portable
• Portable Address
– Provider-Independent (PI)
– Assigned by RIR to end-user
– Keep addresses when changing ISP
– Increases the routing table size
• Non-portable Address
– Provider-aggregatable (PA)
– End-user gets address space from LIR
– Must renumber if changing upstream provider
– Can be aggregated for improved routing efficiency
IPv6 Address Management Hierarchy
Describes “portability” of the address space
(Diagram of the hierarchy:)
/12 APNIC Allocation
/32 Member Allocation: Portable
/48 Assignment made directly by APNIC: Portable
/40 Sub-allocation: Non-Portable
/48 - /64 Assignment (from a Member allocation or a sub-allocation): Non-Portable
Aggregation and Portability
(Diagram. Aggregation (non-portable assignments): ISP A, ISP B, ISP C and ISP D each announce one aggregate to the Internet: 4 routes. No aggregation (portable assignments): each customer prefix is announced separately: 21 routes.)
APNIC Policy Environment
• Internet resources are delegated on a license basis
– Limited duration (usually one year)
– Renewable on the following conditions:
• Original basis of delegation remains valid
• Address space is properly registered at the time of renewal
• Security and confidentiality
– APNIC to maintain systems and practices that protect the confidentiality of Members’ information and their customers
https://www.apnic.net/policy/policy-environment
Allocation Policies
• Aggregation of allocation
– Provider responsible for aggregation
– Customer assignments / sub-allocations must be non-portable
• Allocations based on demonstrated need
– Detailed documentation required
• All address space held is to be declared
IPv4 Allocation Policies
• APNIC IPv4 allocation size per account holder
– Minimum /24
– Maximum /21
– /22 from the final /8 block
– /22 from the recovered block
• According to current allocation from the final /8 block
• Based on demonstrated need
(Diagram: APNIC /8 → Member allocation /22 → non-portable assignments.)
IPv4 Sub-allocation
• No max or min size
– Max 1 year requirement
• Assignment Window & 2nd Opinion
– Applies to both sub-allocation & assignments
– Sub-allocation holders don’t need to send in 2nd opinions
(Diagram: APNIC Member Allocation /22 → Sub-allocation /24 → Customer Assignments /25, /26, /27; direct Customer Assignments /26, /27.)
What is an Assignment Window?
“The amount of address space a member may assign without a ‘second opinion’”
• All members have an Assignment Window
– Starts at zero, increases as member gains experience in address management
• Second opinion process
– Customer assignments require a ‘second opinion’ when the proposed assignment size is larger than the member’s current Assignment Window
Assignment Window
• Size of Assignment Window
– Evaluated after about three 2nd-opinion requests
– Increased as member gains experience and demonstrates understanding of policies
– Assignment Window may be reduced, in rare cases
• Why an Assignment Window?
– Monitoring ongoing progress and adherence to policies
– Mechanism for member education
2nd Opinion Request
(Screenshot of the MyAPNIC request form; its steps are:)
• Type of request: IPv6 / IPv4, Assignment / Sub-allocation
• Applicant information: contact details, password
• Network name: network name, description, country
• Customer’s existing network: IPs held by customer (IPv4 sub-allocations); IPs held by customer & customer’s customers (IPv4/IPv6 assignments)
• Planned IP usage: customer assignments to end-sites; sub-allocation infrastructure
• Future network plan
• Additional information: any additional info that may aid the evaluation
• Confirm details: check your details
2nd Opinion Request Approval
Dear XXXXXXX,
APNIC has approved your "second opinion" request to make the following assignment:
[netname]
[address/prefix]
* Please ensure that you update the APNIC whois database to register this assignment before informing your customer or requesting reverse DNS delegation. Do this using the form at:
http://www.apnic.net/apnic-bin/inetnum.pl
Important: Unregistered assignments are considered as "unused"
IPv6 Allocation Policies
• Initial allocation criteria
– Minimum of /32 IPv6 block
– Larger than /32 may be justified
• For APNIC Members with existing IPv4 space
– One-click Policy (through MyAPNIC)
• Without existing IPv4 space
– Must meet initial allocation criteria
• Subsequent allocation
– Based on HD ratio (0.94)
– Doubles the allocated address space
IPv6 Utilisation (HD = 0.94)
IPv6 Prefix | Site Address Bits | Total site addresses (/56) | Threshold (HD = 0.94) | Utilisation %
/42 | 14 | 16,384 | 9,153 | 55.9%
/36 | 20 | 1,048,576 | 456,419 | 43.5%
/35 | 21 | 2,097,152 | 875,653 | 41.8%
/32 | 24 | 16,777,216 | 6,185,533 | 36.9%
/29 | 27 | 134,217,728 | 43,665,787 | 32.5%
/24 | 32 | 4,294,967,296 | 1,134,964,479 | 26.4%
/16 | 40 | 1,099,511,627,776 | 208,318,498,661 | 18.9%
RFC 3194: “In a hierarchical address plan, as the size of the allocation increases, the density of assignments will decrease.”
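The table above can be reproduced from the HD-ratio definition in RFC 3194. The following added example (not from the slides or from APNIC) derives the threshold column and checks whether a given count of /56 assignments qualifies an allocation for a subsequent allocation; it assumes, as the table does, that utilisation is counted in /56 sites against HD = 0.94.

```python
import math

# Added worked example (not from the APNIC slides): reproduces the HD-ratio table
# and tests whether an LIR's assignment count qualifies it for a subsequent
# allocation. Assumes utilisation is measured in /56 end-site assignments and
# that the policy threshold is HD = 0.94, as the table states.

HD_RATIO = 0.94
SITE_PREFIX = 56  # utilisation is counted in /56 sites


def site_bits(prefix_len, site_prefix=SITE_PREFIX):
    """Address bits available for /56 sites inside an allocation of /prefix_len."""
    if not 0 < prefix_len < site_prefix:
        raise ValueError("allocation must be shorter than the site prefix")
    return site_prefix - prefix_len


def total_sites(prefix_len):
    """How many /56 sites fit in the allocation (the 'Total' column)."""
    return 2 ** site_bits(prefix_len)


def threshold(prefix_len, hd=HD_RATIO):
    """Sites that must be assigned before HD reaches `hd` (the 'Threshold' column).

    RFC 3194 defines HD = log(assigned) / log(total); solving for `assigned`
    gives total ** hd = 2 ** (site_bits * hd), rounded to a whole site count.
    """
    return round(2 ** (site_bits(prefix_len) * hd))


def utilisation_pct(prefix_len, hd=HD_RATIO):
    """Threshold as a percentage of the total (the 'Utilisation %' column)."""
    return round(100 * threshold(prefix_len, hd) / total_sites(prefix_len), 1)


def hd_ratio(assigned_sites, prefix_len):
    """HD ratio actually achieved once `assigned_sites` /56 assignments are made."""
    if assigned_sites < 1:
        return 0.0
    return math.log(assigned_sites) / math.log(total_sites(prefix_len))


def qualifies_for_subsequent(assigned_sites, prefix_len, hd=HD_RATIO):
    """True once the allocation counts as used under the HD-ratio policy."""
    return hd_ratio(assigned_sites, prefix_len) >= hd


def hd_table(prefix_lens=(42, 36, 35, 32, 29, 24, 16)):
    """Rows of (prefix, site bits, total, threshold, utilisation %) as on the slide."""
    return [(f"/{p}", site_bits(p), total_sites(p), threshold(p), utilisation_pct(p))
            for p in prefix_lens]


if __name__ == "__main__":
    for row in hd_table():
        print("{:>4} {:>3} {:>18,} {:>16,} {:>6}%".format(*row))
```

Note that the percentage falls as the allocation grows, which is exactly the RFC 3194 quotation above: a /16 is considered used at 18.9%, a /42 only at 55.9%.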
IPv6 Sub-allocation
• All /48 assignments to end sites must be registered
• LIR must submit a second opinion request for assignments greater than /48
(Diagram: APNIC Member Allocation /32 → Sub-allocation /40 → Customer Assignments /48, /64; direct Customer Assignments /48, /56, /64.)
IPv6 Assignment Policies
• Assignment address space size
– Minimum of /64 (only 1 subnet)
– Normal maximum of /48
• Assignment of multiple /48s to a single end site
– Documentation must be provided
– Will be reviewed at the RIR/NIR level
• Assignment to operator’s infrastructure
– /48 per Point-of-Presence of an IPv6 service operator
Portable Assignments
• Small multi-homing assignment
– For (small) organisations who require a portable assignment for multi-homing purposes
• Criteria
– Currently multi-homed, or currently using at least a /24 from its upstream provider and intends to be multihomed, or intends to be multihomed and advertise the prefixes within 6 months
– Demonstrate need to use 25% of requested space immediately, and 50% within 1 year
IXP Assignments
• L1 or L2 network structure that interconnects 3 or more autonomous systems (AS) for Internet traffic exchange
• Eligible to receive a delegation to be used exclusively to connect IXP participants’ devices to the Exchange Point
• Criteria:
– 3 or more peers
– Demonstrate “open peering policy”
• Assignment size
– IPv4: /24
– IPv6: /48 minimum
Portable Critical Infrastructure
• What is Critical Internet Infrastructure?
– Domain registry infrastructure: root DNS operators, gTLD operators, ccTLD operators
– Address registry infrastructure: RIRs & NIRs, IANA
• Why a specific policy?
– To protect the stability of core Internet functions
• Assignment size
– IPv4: /24
– IPv6: /32 (maximum)
Sub-delegation Guidelines
• Sub-allocate cautiously
– Seek APNIC advice if in doubt
– If customer requirements meet the minimum allocation criteria, customers can approach APNIC for a portable allocation
• Efficient assignments
– ISPs responsible for overall utilisation
• Database registration (WHOIS database)
– Sub-allocations & assignments to be registered in the database
IPv4 Transfer Policies
• Between APNIC Members
– Minimum transfer size of /24
– Source entity must be the currently registered holder of the IPv4 resources
– Recipient entity will be subject to current APNIC policies
• Inter-RIR IPv4 Transfers
– Minimum transfer size of /24
– Conditions on the source and recipient RIR will apply
IPv4 and ASN Transfer
• Transfer of IPv4 and AS Numbers between
– APNIC Members (✓)
– APNIC and NIR (✓)
– APNIC and RIR (✓)
Transfer of IPv4 and AS Numbers between APNIC Members
• How to initiate such a transfer request?
– Source account initiates the transfer and recipient account accepts the transfer via MyAPNIC
– Recipient account must justify the need for the resources that will be transferred
• Are there any transfer fees involved?
– www.apnic.net/fees
Transfer of IPv4 and AS Numbers between APNIC and NIR
• Transfer from NIR Member to APNIC Member, or vice versa
– Source account initiates the transfer request
– IR of source account contacts IR of recipient account
• Who will be evaluating the request?
– IR of the recipient account evaluates the transfer request
• How long will the whole process take?
– Depends on how long the correspondence between the recipient and the IR takes
Transfer of IPv4 and AS Numbers between APNIC and RIR
• Similar to transfer between NIR and RIR
• Transfer from RIR Member to APNIC Member, or vice versa
– Source account initiates the transfer request
– IR of the recipient account evaluates the transfer request
www.apnic.net/transfer
Historical Resources
• Internet resources registered under early registry policies without formal agreements
• It includes:
– Registrations transferred to APNIC as part of the AUNIC to APNIC migration
– Registrations transferred as part of the Early Registration Transfer (ERX) project
– Historical APNIC resources
https://www.apnic.net/policy/historical-resource-policies
Historical Resource Transfer
• Bring historical resource registrations into the current policy framework
– Allow transfers of historical resources to APNIC Members
– The recipient of the transfer must be an APNIC Member
– No technical review or approval
– Historical resource holder must be verified
– Resources will then be considered as "current"
• Address space subject to current policy framework
Agenda
• Introduction to APNIC
• Policy Development Process
• Internet Registry Policies
• Requesting IP Addresses
• APNIC Whois Database
• Using MyAPNIC
• Resource Certification (RPKI)
How do I get addresses?
• Decide what kind of number resources you need
– IPv4? IPv6? Both?
• Check your eligibility
– On the website www.apnic.net
– Contact the helpdesk [email protected]
• Become familiar with the policies
– www.apnic.net/policy
• Apply for membership and resources
IPv4 Address Space
(Chart: NRO Q4 2016.)
Available IPv4 /8s in Each RIR
(Chart: NRO Q4 2016.)
Check for Eligibility – IPv4
• Initial LIR delegation:
– Have used a /24 from their upstream provider or demonstrate an immediate need for a /24
– Have complied with applicable policies in managing all address space previously delegated to it (including historical delegations)
– Demonstrate a detailed plan for use of a /23 within a year
Check for Eligibility – IPv4
• Small multihoming delegation:
– Currently multihomed,
– or currently using at least a /24 from its upstream provider and intends to be multihomed,
– or intends to be multihomed, and advertise the prefixes within 6 months
– Demonstrate that they are able to use 25% of the requested addresses immediately and 50% within one year
Check for Eligibility – IPv4
• Internet Exchange Points:
– Eligible to receive a delegation from APNIC to be used exclusively to connect the IXP participant devices to the Exchange Point
• Critical Infrastructure:
– If operating in the Asia Pacific region, are eligible to receive a delegation
– Available only to the actual operators of the network infrastructure performing such functions
Check for Eligibility – IPv6
• APNIC Members with IPv4 but no IPv6 automatically qualify for an appropriately sized block of IPv6 addresses
– Members with an IPv4 allocation are eligible for a /32 IPv6
– Members with an IPv4 assignment are eligible for a /48 IPv6
• Minimum initial allocation
– Must be an LIR
– Not be an end site
– Plan to announce IPv6 within two years
– Must meet one of these:
• Plan to make at least 200 assignments to other organizations within two years
• Be an existing LIR with IPv4 allocations from APNIC or an NIR, which will make IPv6 assignments or sub-allocations within two years
Initial IP Address Request
• You are required to be an APNIC Member in order to initiate your IP address request.
• However, you can apply for membership and request an initial address allocation at the same time.
http://www.apnic.net/apply
Application Process
• Application
– Have your information handy and complete the application form
• Evaluation
– Info provided will be evaluated. APNIC will contact you if additional info is required
• Payment
– Once the application is approved, the Member receives an invoice
• Completion
– APNIC activates the membership and delegates the resource
https://www.apnic.net/get-ip/application-process
New Member Application Form
(Screenshots of the form:)
• Provide info about you and your organisation
• Select IPv4 or IPv6 and the block size. Make sure you meet the criteria.
• Provide the type of ASN request, and details of two peering networks
Initial Delegation
• APNIC IPv4 delegation size per account holder
– Minimum of /24
– Maximum of /21
– /22 from the final /8 block
– /22 from the recovered block
• Initial IPv6 delegation criteria
– Allocation
• Minimum of /32 IPv6 block
• Larger than /32 may be justified
– Assignment
• /48
(Screenshot: requests for additional resources can be made through MyAPNIC.)
Agenda
• Introduction to APNIC
• Policy Development Process
• Internet Registry Policies
• Requesting IP Addresses
• APNIC Whois Database
• Using MyAPNIC
• Resource Certification (RPKI)
What is the APNIC Database?
• Public network management database
– Operated by Internet Registries
– APNIC maintains the database of resources for the AP region
• Tracks network resources
– IP addresses, ASNs, reverse DNS delegations, routing policies
• Records administrative information
– Contact information (person/role) of relevant resource holders
– Authorization for updating this info
– Network abuse handling (IRT)
Resource Registration
As part of the membership agreement with APNIC, all Members are required to register their resources in the APNIC database.
• Members must keep records up to date
– Whenever there is a change in contacts
– When new resources are received
– When resources are sub-allocated or assigned
Whois Object Types
OBJECT | PURPOSE
person | Technical or administrative contacts responsible for an object
role | Technical or administrative contacts represented by a role, performed by one or more people
inetnum | Allocation or assignment of IPv4 address space
inet6num | Allocation or assignment of IPv6 address space
aut-num | Registered holder of an AS number and corresponding routing policy
domain | in-addr.arpa (IPv4) or ip6.arpa (IPv6) reverse DNS delegations
route / route6 | Single IPv4/IPv6 route injected into the Internet routing mesh
mntner | Authorized agent to make changes to an object
irt | Dedicated abuse handling team
Objects for New Members
• If you are receiving your first allocation or assignment, APNIC will create the following objects for you:
– role object
– inetnum / inet6num object
– aut-num object
– maintainer object
– irt object
• Information is taken from your application for resources and membership
http://www.apnic.net/whois
What if Whois information is invalid?
• Members are responsible for reporting changes to APNIC under the formal membership agreement
• Report invalid contact details to APNIC
– http://www.apnic.net/invalidcontact
– APNIC will contact the Member responsible to update the registration
What if Whois information is invalid?
• Customer assignment information is the responsibility of the LIR
– LIR must update their customer network registrations
• Tools such as traceroute and looking glasses may be used to track the upstream provider if needed
Using the Whois – Step by Step
(Diagram, steps 1-6: the allocation inetnum is created by APNIC; the Member creates a person object (nic-hdl KX17-AP) holding the contact info; the Member creates customer assignment inetnum objects that reference KX17-AP; a mntner object, referenced through mnt-by, provides data protection for these objects.)
Inetnum / Inet6num Objects
• Contains IP delegation information
• APNIC creates an inetnum or inet6num object for each delegation they make to the Member
• All members must create inetnum or inet6num objects for each sub-allocation or assignment they make to customers
Inet6num Object
inet6num: 2406:6400:FFFF::/48
netname: ABCINTERNET-IPv6
descr: IPv6 address block for ABC INTERNET
country: SG
admin-c: AINT1-AP
tech-c: AINT1-AP
mnt-by: MAINT-SG-ABCINTERNET
mnt-lower: MAINT-SG-ABCINTERNET
mnt-routes: MAINT-SG-ABCINTERNET
mnt-irt: IRT-ABCINTERNET-SG
status: ALLOCATED NON-PORTABLE
changed: [email protected] 20160503
source: APNIC
(admin-c, tech-c and mnt-* are role and maintainer object references; status shows the type of delegation.)
Person Object
• Represents a contact person for an organization
– Every Member must have at least one contact person registered
– Large organizations often have several contacts for different purposes
• Referenced in other objects
• Has a nic-hdl: a unique identifier for a person or role object
Format: [A-Z][0-9]-AP (e.g. NT324-AP)
Person Object
person: Nelly Tan
address: 1000 Jalan Bukit Merah
country: SG
phone: +65 6400 7333
fax-no: +65 6400 7334
e-mail: [email protected]
nic-hdl: NT324-AP
mnt-by: MAINT-SG-ABCINTERNET
changed: [email protected] 20160503
source: APNIC
Role Object
• Contains details of technical or administrative contacts as represented by a role performed by one or more people within an organization
• Also has a nic-hdl
• Preferred over person object as reference in other objects
– Eases administration
Role Object
role: ABC Internet Network Team
address: 1000 Jalan Bukit Merah
country: SG
phone: +65 6400 7333
fax-no: +65 6400 7334
e-mail: [email protected]
admin-c: AB731-AP
tech-c: NT324-AP
nic-hdl: AINT1-AP
mnt-by: MAINT-SG-ABCINTERNET
changed: [email protected] 20160503
source: APNIC
(admin-c and tech-c point to a person object.)
Replacing Contacts – Person Object
• KX17-AP is the original contact, referenced by three (or more) objects
• BW101-AP is replacing him: update all three (or more) objects with the new contact one by one
• Delete old contact KX17-AP
(Diagram, before: person objects KX17-AP and BW101-AP both exist; each customer assignment inetnum created by the Member and the maintainer object reference KX17-AP. After: every one of those inetnum objects and the maintainer object has been edited to reference BW101-AP.)
Replacing Contacts – Role Object
• Replace old contact with new contact in the Role object
• No change in inetnum objects
(Diagram: the role object with nic-hdl AT480-AP lists KX17-AP as tech-c; the customer assignment inetnum objects and the maintainer object all reference AT480-AP. Changing the role’s tech-c from KX17-AP to BW101-AP replaces the contact everywhere, and the inetnum and maintainer objects stay as they are.)
Whois Database Query
Flags | Meaning
-l / -L | Less specific
-m / -M | More specific
-x | Exact match
-d | Associated reverse domain
-i | Inverse attributes
-T | Object types
Whois Database Query - inetnum
(Diagram of the inetnum hierarchy used in the queries:)
inetnum: 202.0.0.0 - 202.255.255.255 (202.0.0.0/8): less specific (= bigger block)
inetnum: 202.64.0.0 - 202.64.15.255 (202.64.0.0/20): the queried block
inetnum: 202.64.10.0/24, 202.64.12.128/25, 202.64.15.192/26: more specific (= smaller blocks)
whois 202.64.0.0/20 returns the 202.64.0.0/20 object itself
whois -L 202.64.0.0/20 returns the less specific object 202.0.0.0/8
whois -m 202.64.0.0/20 returns the more specific objects 202.64.10.0/24, 202.64.12.128/25 and 202.64.15.192/26
Inverse Queries
• Inverse queries are performed on inverse keys
– See the object template (whois -t)
• Returns all public objects that reference the object with the key specified as a query argument
– Practical when searching for objects in which a particular value is referenced, such as your nic-hdl
Syntax: whois -i <attribute> <value>
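To make the inverse, less-specific and more-specific lookups concrete, and to show why the "Replacing Contacts" slides above favour role objects, here is an added example that is not part of the tutorial or of APNIC's whois software: a small in-memory index over RPSL-style objects modelled on the slides. The sample objects and the contact "Bob Wong" are constructed for the example.

```python
import ipaddress

# Added example, not APNIC's whois server: an in-memory index over RPSL-style
# objects like those on these slides, emulating `whois -i <attr> <value>` and
# `whois -L` / `whois -M`, and counting how many objects a contact change touches.

# Constructed sample objects modelled on the slides; "Bob Wong" is hypothetical.
SAMPLE_OBJECTS = """\
person:     Nelly Tan
nic-hdl:    NT324-AP

person:     Bob Wong
nic-hdl:    BW101-AP

role:       ABC Internet Network Team
admin-c:    NT324-AP
tech-c:     NT324-AP
nic-hdl:    AINT1-AP

inetnum:    202.64.0.0 - 202.64.15.255
admin-c:    AINT1-AP
tech-c:     AINT1-AP
status:     ALLOCATED PORTABLE
mnt-by:     APNIC-HM
mnt-lower:  MAINT-SG-ABCINTERNET

inetnum:    202.64.10.0 - 202.64.10.255
admin-c:    NT324-AP
tech-c:     NT324-AP
status:     ASSIGNED NON-PORTABLE
mnt-by:     MAINT-SG-ABCINTERNET

inetnum:    202.64.12.128 - 202.64.12.255
admin-c:    AINT1-AP
tech-c:     AINT1-AP
status:     ASSIGNED NON-PORTABLE
mnt-by:     MAINT-SG-ABCINTERNET
"""

CONTACT_ATTRS = ("admin-c", "tech-c")


def parse_rpsl(text):
    """Split blank-line separated objects into lists of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def primary_key(obj):
    """The first attribute (person, role, inetnum, ...) carries the object's key."""
    return obj[0][1]


def inverse_query(objects, attr, value):
    """Emulate `whois -i attr value`: keys of every object whose `attr` is `value`."""
    return sorted(primary_key(o) for o in objects if (attr, value) in o)


def references_to(objects, nic_hdl):
    """Every object that must be edited if `nic_hdl` is replaced as a contact."""
    hits = set()
    for attr in CONTACT_ATTRS:
        hits.update(inverse_query(objects, attr, nic_hdl))
    return sorted(hits)


def replace_contact(objects, old, new):
    """Rewrite admin-c/tech-c references from `old` to `new`; return objects edited."""
    edited = 0
    for obj in objects:
        rewritten = [(a, new if a in CONTACT_ATTRS and v == old else v) for a, v in obj]
        if rewritten != obj:
            obj[:] = rewritten
            edited += 1
    return edited


def _inetnum_bounds(obj):
    for attr, value in obj:
        if attr == "inetnum":
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
            return lo, hi
    return None


def related_blocks(objects, prefix, direction):
    """Emulate `whois -M` (direction "more") or `whois -L` (direction "less")."""
    net = ipaddress.ip_network(prefix)
    query = (net.network_address, net.broadcast_address)
    out = []
    for obj in objects:
        bounds = _inetnum_bounds(obj)
        if bounds is None or bounds == query:   # skip non-inetnums and the exact match
            continue
        inner, outer = (bounds, query) if direction == "more" else (query, bounds)
        if outer[0] <= inner[0] and inner[1] <= outer[1]:
            out.append(primary_key(obj))
    return out
```

With these objects, replacing NT324-AP edits two objects (the role and the one assignment that names the person directly), while the allocation and the other assignment, which reference the role AINT1-AP, need no change at all.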
Customer Privacy
• Public data
– Includes portable and non-portable addresses (inetnum) and other objects (route, domain, etc.)
– Must be visible
• Private data
– Includes non-portable addresses (inetnum objects)
– Members have the option to make private data visible
What needs to be visible?
(Diagram: the IANA range splits into the non-APNIC range and the APNIC range; the APNIC range contains the NIR range (NIR allocations & assignments) and APNIC allocations & assignments. Below the LIR/ISP sit its infrastructure, sub-allocations and customer assignments. PORTABLE addresses, i.e. the APNIC and NIR allocations & assignments, must be visible; for NON-PORTABLE addresses, visibility of the customer assignment records is optional, as described on the Customer Privacy slide.)
What is a Maintainer?
• Protects objects in the Whois Database
• Applied to any object created directly below that maintainer object
• Why do we need a Maintainer?
– Prevent unauthorized persons from changing the details in the Whois
– As parts of a block are sub-allocated or assigned, another layer of maintainers is often created to allow the new users to protect their (sub)set of addresses
• Authentication options
– CRYPT-PW, MD5, PGPKEY
Maintainer Object
mntner: MAINT-SG-ABCINTERNET
descr: Maintainer for ABC Internet
country: SG
admin-c: AINT1-AP
tech-c: AINT1-AP
upd-to: [email protected]
auth: # Filtered
mnt-by: MAINT-SG-ABCINTERNET
referral-by: APNIC-HM
changed: [email protected] 20160503
source: APNIC
mnt-by and mnt-lower Attributes
• mnt-by
– Used to protect any object
– Changes to the protected object must satisfy the authentication rules of the mntner object
• mnt-lower
– Used for sub-assignment creation (customer assignment)
• mnt-routes
– Used for the creation of route or route6 objects
– inetnum, inet6num and aut-num must have the same mnt-routes maintainer
Authorisation Mechanism
user1@www:~$ whois -h whois.apnic.net 2406:6400::/32
% Information related to '2406:6400::/32'
inet6num: 2406:6400::/32
netname: APNIC-TRAININGIPv6-Lab-AP
descr: APNIC TRAINING Lab
descr: LEVEL 1, 33 PARK RD
country: AU
admin-c: AT480-AP
tech-c: AT480-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-AU-APNICTRAINING
mnt-routes: MAINT-AU-APNICTRAINING
status: ALLOCATED PORTABLE
1. This object can only be modified by APNIC-HM
2. Creation of more specific objects within this range has to pass the authentication of MAINT-AU-APNICTRAINING
3. Creation of route objects matching/within this range has to pass the authentication of MAINT-AU-APNICTRAINING
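The three rules above can be applied mechanically to a hierarchy of objects. The following added example (not the tutorial's or APNIC's code) takes the 2406:6400::/32 object shown above plus two constructed objects beneath it, with hypothetical maintainer names, and reports which maintainer must authenticate a modification, the creation of a more specific object, or the creation of a route6 object. Falling back to mnt-by when mnt-lower or mnt-routes is absent is the RPSL convention and is an assumption here, not something the slides state.

```python
import ipaddress

# Added example, not APNIC's whois server: given registered inet6num objects,
# work out which maintainer must authenticate a proposed change, following the
# three rules read off the 2406:6400::/32 object above. Falling back to mnt-by
# when mnt-lower or mnt-routes is absent is assumed (RPSL convention).

# The /32 is the object shown on the slide; the /40 and /48 beneath it are
# constructed, with hypothetical maintainer names, to give the hierarchy depth.
OBJECTS = [
    {"inet6num": "2406:6400::/32", "status": "ALLOCATED PORTABLE",
     "mnt-by": ["APNIC-HM"], "mnt-lower": ["MAINT-AU-APNICTRAINING"],
     "mnt-routes": ["MAINT-AU-APNICTRAINING"]},
    {"inet6num": "2406:6400:100::/40", "status": "ALLOCATED NON-PORTABLE",
     "mnt-by": ["MAINT-AU-APNICTRAINING"], "mnt-lower": ["MAINT-CUSTOMER"],
     "mnt-routes": ["MAINT-CUSTOMER"]},
    {"inet6num": "2406:6400:200::/48", "status": "ASSIGNED NON-PORTABLE",
     "mnt-by": ["MAINT-AU-APNICTRAINING"]},   # no mnt-lower, no mnt-routes
]


def _net(obj):
    return ipaddress.ip_network(obj["inet6num"])


def find_exact(objects, prefix):
    """The registered object covering exactly `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    return next((o for o in objects if _net(o) == net), None)


def find_parent(objects, prefix):
    """Closest enclosing registered object (longest prefix match), or None."""
    net = ipaddress.ip_network(prefix)
    parents = [o for o in objects if _net(o) != net and net.subnet_of(_net(o))]
    return max(parents, key=lambda o: _net(o).prefixlen, default=None)


def authorising_maintainers(objects, operation, prefix):
    """Maintainers, any one of which may authenticate `operation` on `prefix`.

    "modify"       -> mnt-by of the object itself
    "create"       -> mnt-lower of the closest parent (else its mnt-by)
    "create-route" -> mnt-routes of the exact object, else of the closest
                      parent (else that object's mnt-by)
    """
    exact = find_exact(objects, prefix)
    if operation == "modify":
        if exact is None:
            raise LookupError(f"{prefix} is not registered")
        return list(exact["mnt-by"])
    if operation == "create":
        if exact is not None:
            raise ValueError(f"{prefix} already exists; modify it instead")
        parent = find_parent(objects, prefix)
        if parent is None:
            raise LookupError(f"no enclosing object for {prefix}")
        return list(parent.get("mnt-lower") or parent["mnt-by"])
    if operation == "create-route":
        target = exact or find_parent(objects, prefix)
        if target is None:
            raise LookupError(f"no object covers {prefix}")
        return list(target.get("mnt-routes") or target["mnt-by"])
    raise ValueError(f"unknown operation {operation!r}")


def is_authorised(objects, operation, prefix, presented_mntner):
    """True if the credential presented belongs to a maintainer that may authenticate."""
    return presented_mntner in authorising_maintainers(objects, operation, prefix)
```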
Status and MNT-by
(The IPv6 address management hierarchy diagram above is reused; each case below shows the status and maintainer attributes of one object in it.)
(1) /48 assignment made directly by APNIC
Status: ASSIGNED PORTABLE
mnt-by: APNIC-HM
mnt-routes: MAINT-NETA
(2) /32 Member allocation
Status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-NETB
mnt-routes: MAINT-NETB
(3) /48 - /64 customer assignment made by the Member
Status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-NETB
mnt-routes: MAINT-NETB
(4) /40 sub-allocation made by the Member
Status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-NETB
mnt-lower: MAINT-CUSTOMER
mnt-routes: MAINT-CUSTOMER
Maintainer of Allocated Portable Addresses
inetnum: 61.45.248.0 - 61.45.255.255
netname: APNICTRAINING-AP
descr: APNIC TRAINING UNIT
descr: 6 Cordelia St. South Brisbane, QLD
country: AU
admin-c: AINT1-AP
tech-c: AINT1-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-SG-ABCINTERNET
mnt-routes: MAINT-SG-ABCINTERNET
mnt-irt: IRT-ABCINTERNET-SG
......
changed: [email protected] 20100407
changed: [email protected] 20160530
changed: [email protected] 20170215
source: APNIC
Maintainer of Assigned Non-Portable Addresses
inetnum: 61.45.249.0 - 61.45.249.255
netname: ABCINTERNET-IPv4-CustomerB
descr: IPv4 address block for Customer B
country: SG
admin-c: AINT1-AP
tech-c: AINT1-AP
geoloc: 1.250198 103.828467
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-SG-ABCINTERNET
mnt-routes: MAINT-SG-ABCINTERNET
mnt-irt: IRT-ABCINTERNET-SG
changed: [email protected] 20160503
changed: [email protected] 20170215
source: APNIC
Whois IRT Contact
• Incident Response Team (IRT)
– Dedicated abuse handling teams (not netops)
• IRT objects are mandatory when creating inetnum, inet6num and aut-num objects
• Provide an abuse contact email
– Dedicated team to resolve incidents
– Efficient and accurate response
– Stops the tech-c and admin-c from getting abuse reports
IRT Object
irt: IRT-ABCINTERNET-SG
address: 1000 Jalan Bukit Merah
address: SG
e-mail: [email protected]
abuse-mailbox: [email protected]
admin-c: AINT1-AP
tech-c: AINT1-AP
auth: # Filtered
mnt-by: MAINT-SG-ABCINTERNET
changed: [email protected] 20160503
source: APNIC
Whois Database Geolocation
• A latitude/longitude coordinate indicating where users of this network are located
• Provides a hint to content and geolocation service providers
www.apnic.net/geolocation
Whois Object with Geolocation
inetnum: 61.45.248.0 - 61.45.248.255
netname: ABCINTERNET-IPv4-CustomerA
descr: IPv4 address block for Customer A
country: SG
admin-c: AINT1-AP
tech-c: AINT1-AP
geoloc: 1.250198 103.828467
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-SG-ABCINTERNET
mnt-lower: MAINT-SG-ABCINTERNET
mnt-routes: MAINT-SG-ABCINTERNET
mnt-irt: IRT-ABCINTERNET-SG
changed: [email protected] 20160503
source: APNIC
Agenda
• Introduction to APNIC
• Policy Development Process
• Internet Registry Policies
• Requesting IP Addresses
• APNIC Whois Database
• Using MyAPNIC
• Resource Certification (RPKI)
What is MyAPNIC?
• A secure website that enables Members to manage Internet resources and account interactions with APNIC online
https://myapnic.net
How it Works
[Diagram: a Member's staff use a client browser to reach https://myapnic.net. The MyAPNIC server sits among the APNIC public servers; a firewall separates it from the APNIC internal systems (finance system, membership & resource system, Whois master). Labels on the client side: Member ID, Person, Authority.]
Access to MyAPNIC
• Available to all authorized contacts of APNIC accounts by registering your email address and password
• Corporate Contacts can register and get instant access
• Non-Corporate Contacts need their registration approved by their Corporate Contact through MyAPNIC
– Requestor must send the authorization code to the Corporate Contact
www.apnic.net/corporate-contacts
MyAPNIC Registration
https://myapnic.net/register
• Go to www.myapnic.net
MyAPNIC Registration
Registration – Corporate Contact
Registration – Other Contacts
Send this authorisation code to your Corporate Contact
Registration – Other Contacts
Use the authorisation code to approve access
Registration – Other Contacts
Multiple Account Access
MyAPNIC Two Factor Authentication
New tab for TOTP
• Time-based One-Time Passwords (TOTP)
Required for:
• Online voting
• Resource certification
• Approving certificate requests from other non-Corporate Contacts
• Editing permissions for non-Corporate Contacts
For step-by-step instructions on how to activate TOTP in MyAPNIC, please visit our 2FA page: www.apnic.net/2fa
Time-based One-Time Passwords (TOTP)
Time-based One-Time Passwords (TOTP)
“Remember Me” is valid for 30 days
MyAPNIC Digital Certificate
Required for:
• Online voting
• Resource certification
• Approving other contacts’ certificate requests
Request Certificate
List of all certificates generated for this account. You may also download the current certificate to install on a new browser.
Administration Features
Member and Contact details, including Billing history and Referral
Contact Management
Resource Management
Portal to list and update your current Internet resources
Maintainer Page
Maintainers associated with Member resources are added automatically and cannot be deleted
One-Click IPv6
Claim your IPv6 address from within MyAPNIC
One-Click IPv6
Manage Resources
Sub-allocation
Updating Attributes in Parent Object
Parent object updates
Highlighted attributes can be changed by the user. The greyed-out attributes can only be changed by APNIC.
Requesting Resources
Displays the amount of delegations already received and the available resources you can still request
Whois Updates
New “View” tab lets you view objects associated with your account
Select the Object type to view only these types of objects
Adding Objects
Adding objects
Updating Objects
Updating objects
Deleting Objects
Deleting objects
Bulk Update
Bulk Update
Resource Transfer / Return
Transfer Resources
Select multiple IPv4 and ASN blocks you wish to transfer.
Provide the recipient’s account name.
Receiving Resources
As recipient of the IP resource, you may choose to accept or reject the transfer.
Transfer Pre-approval
Referral Application
CC to Authorize Application
Available Utilities
Tools – IPv6 Sparse Assignment
Tools – IPv6 Subnet
Tools – Reverse Domain Verification
Agenda
• Introduction to APNIC
• Policy Development Process
• Internet Registry Policies
• Requesting IP Addresses
• APNIC Whois Database
• Using MyAPNIC
• Resource Certification (RPKI)
What is RPKI?
• Resource Public Key Infrastructure (RPKI)
• A robust security framework for verifying the association between resource holders and their Internet resources
• Created to address the issues in RFC 4593 “Generic Threats to Routing Protocols”
• Helps to secure Internet routing by validating routes
– Proof that prefix announcements are coming from the legitimate holder of the resource
RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012)
“Right” to Resources
• Organization gets its resources from the RIR
• Organization notifies its upstream of the prefixes to be announced
• Upstream must check the WHOIS database to confirm that the resource has been delegated to the customer
We need to be able to authoritatively prove who owns an IP prefix and which AS(s) may announce it.
APNIC Resource Certification
• A robust security framework for verifying the association between resource holders and their Internet resources
– Collaborative effort by all RIRs
• Initiative from APNIC to
– Improve the security of inter-domain routing
– Augment the information published in the Whois database with a verifiable form of a holder's current right-of-use over an Internet resource
APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use
Route Origin Authorization (ROA)
• A digital object that contains a list of address prefixes and an AS number
• It is an authority created by a prefix holder to authorize an ASN to originate one or more specific route advertisements
• Create ROA objects using MyAPNIC
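As an added example (not part of the tutorial), the following Python checks an announced prefix and origin AS against a small set of ROAs, which is the route origin validation a router performs once ROAs have been published. The ROA prefixes reuse the training blocks from the slides; the maxLength field and the AS numbers (taken from the documentation range) are assumptions.

```python
import ipaddress

# Constructed sample ROAs: (prefix, max_length, origin_asn).
# max_length is an assumed field: real ROAs carry it, the slides do not discuss it.
# 64496 / 64500 are AS numbers reserved for documentation, not real holders.
ROAS = [
    ("2406:6400::/32", 32, 64496),   # only the /32 itself may be announced
    ("61.45.248.0/21", 24, 64496),   # holder may also announce /22 .. /24 pieces
]

def covering_roas(prefix, roas):
    """ROAs whose prefix contains the announced prefix, ignoring max length."""
    net = ipaddress.ip_network(prefix)
    found = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            found.append((roa_net, max_len, asn))
    return found

def validate_origin(prefix, origin_asn, roas=ROAS):
    """Return 'VALID', 'INVALID' or 'NOT_FOUND' for one BGP announcement.

    NOT_FOUND: no ROA covers the space, so nothing can be said about it.
    VALID:     some covering ROA names this origin AS and allows this length.
    INVALID:   ROAs cover the space but none matches (wrong AS or too specific).
    """
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "NOT_FOUND"
    for _roa_net, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "VALID"
    return "INVALID"

if __name__ == "__main__":
    for announcement in [("2406:6400::/32", 64496), ("2406:6400::/48", 64496),
                         ("61.45.249.0/24", 64500), ("203.0.113.0/24", 64496)]:
        print(announcement, "->", validate_origin(*announcement))
```

An INVALID result for a more-specific announcement (the /48 above) is the case that catches both misconfiguration and hijack attempts, which is why the max length should be kept as tight as the holder's real announcements allow.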
Activate RPKI Engine
Create ROA Objects
ROA Suggestions
Ready to ROA
• ROA sessions conducted at different events to help Members explore resource certification
• Join the ROA sessions
• Check out the APNIC page
– http://www.apnic.net/roa
www.facebook.com/APNIC
www.twitter.com/apnic
www.youtube.com/apnicmultimedia
www.flickr.com/apnic
www.weibo.com/APNICrir
Thank You! END OF SESSION